May 2007
Project Report in
Partial Fulfillment of the
Requirement for the Award of a
Bachelor’s Degree in Telecommunications Engineering
Reg. NO 03/U/405/GV
DECLARATION
I, Opira Moses Alfonse, declare that this project is my original work achieved as a
result of having made intensive research about software-based monitoring tools. This
work has never been submitted in any academic institution for the award of a degree
or anything else whatsoever.
I thus hereby present this project as consideration for the partial fulfillment of the
award of a Bachelor's Degree in Telecommunications Engineering as my final year
project.
Author:
OPIRA MOSES ALFONSE
B. Eng. Telecom. Eng. /IV
03/U/405/GV
Sign.……………………………
Date: ……………………………
APPROVAL
I hereby approve that Opira Moses Alfonse has solely undertaken the aforementioned
project as partial fulfillment for the award of a Bachelor's Degree in
Telecommunications Engineering, fourth year.
Internal Supervisor:
Sign. …………………………. .
Date ……………………………
External Supervisor:
Sign. …………………………. .
Date ……………………………
DEDICATION
This project report is dedicated to my father, Mr. Moris Opira-P'oria and mother Mrs.
Agnes Kaluba-Opira for all the constant support and undying love they have always
given me.
TABLE OF CONTENTS
DECLARATION  V
APPROVAL  VI
DEDICATION  VII
TABLE OF CONTENTS  VIII
ACKNOWLEDGEMENTS  X
ABBREVIATIONS AND ACRONYMS  XI
LIST OF FIGURES  XIII
LIST OF SYMBOLS  XIV
LIST OF TABLES  XV
ABSTRACT  XVI
CHAPTER ONE  1
INTRODUCTION  1
1.0 Background to the Study  1
1.1 Problem Statement  2
1.2 Aim  3
1.3 Objectives  3
1.4 Significance of the Study  3
1.5 Scope of the Study  4
1.6 Methodology  4
1.7 Summary  5
CHAPTER TWO  6
THEORETICAL BACKGROUND  6
2.0 Overview of Network Monitoring  6
2.1 Network Monitoring Parameters  6
2.1.1 Importance of Bandwidth  7
2.1.1.1 Bandwidth Measurements  7
2.2 Network Monitoring Modes  9
2.2.1 Passive Monitoring  9
2.2.2 Active Monitoring  9
2.3 Network Architectures  9
2.3.1 Local Area Networks  10
2.3.2 Wide Area Networks  10
2.4 Network Models  10
2.4.1 OSI Reference model  10
2.4.2 TCP/IP model  12
2.4.3 OSI Network Management model  13
2.5 Network Protocols  14
2.5.1 Layer 4 Protocols  15
2.5.2 Layer 3 Protocols  16
2.5.3 Layer 2 Protocols  16
2.5.4 Layer 1 Protocols  16
2.6 Port Numbers  17
2.6.1 Well-known port numbers  17
2.7 Data Encapsulation and Decapsulation  18
2.7.1 Encapsulation/Decapsulation Process  18
2.7.2 Ethernet Frame Structure  19
2.8 Approaches to Network Monitoring  20
2.8.1 Software-based Monitoring Tools  20
2.8.2 Command-line utilities  21
2.8.3 SNMP Approach  22
2.9 WinPcap Architecture  22
2.9.1 Structure of the Capture Stack  23
2.9.1.1 Network Level  23
2.9.1.2 Kernel-Level  23
2.9.1.3 User-Level  23
2.10 Application Programming Interface  25
2.11 Summary  25
CHAPTER THREE  26
DESIGN AND IMPLEMENTATION  26
3.0 Design Stages  26
3.1 Dynamic Link Library  26
3.1.1 Loading the Dynamic Link Library  26
3.1.2 Getting Function Addresses  27
3.2 Program Algorithm  28
3.3 High-Level Programming  29
3.4 Graphical User Interface  29
3.5 Summary  30
CHAPTER FOUR  31
TESTING AND EVALUATION  31
4.0 Test Bed Design  31
4.1 Evaluation of Results  32
4.1.1 Captured Devices  32
4.1.2 IP Information  33
4.1.3 Capture Statistics  34
4.2 Applications  34
4.3 Limitations  35
4.4 Scheduling of Tasks  35
4.5 Project Costing  35
CONCLUSION  36
RECOMMENDATIONS  38
BIBLIOGRAPHY  39
TEXTBOOK REFERENCES  39
CATALOGUES  39
TECHNICAL REPORTS AND JOURNALS  39
MANUALS  40
APPENDICES  41
APPENDIX A: PROJECT COSTING  41
APPENDIX B: WORK BREAKDOWN STRUCTURE  42
APPENDIX C: TRACKING GANTT CHART  43
APPENDIX D: WELL KNOWN PORT NUMBERS  44
APPENDIX E: EXPORTED WINPCAP FUNCTIONS  46
ACKNOWLEDGEMENTS
First and foremost, I wish to extend my sincere thanks to the Almighty Lord for
having kept me well all throughout the entire period of the project work.
I also convey my sincere gratitude to my supervisor, Mr. George Waligo, for being my
mentor and inspiring me to reach greater heights.
Many thanks also go to my parents for their loving care and support they have always
shown in many ways more than one.
ABBREVIATIONS AND ACRONYMS
NDIS Network Driver Interface Specification
NFS Network File System
NIC Network Interface Card
OSI Open System Interconnection
PDU Protocol Data Unit
PPP Point-to-Point Protocol
RARP Reverse Address Resolution Protocol
RFC Request for Comments
SDK Software Development Kit
SLIP Serial Line Internet Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SONET Synchronous Optical Network
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TIA Telecommunications Industry Association
UDP User Datagram Protocol
VoIP Voice over IP
WAN Wide Area Network
Win32 32-bit Windows application programming interface
WinPcap Windows Packet Capture
WWW World Wide Web
XP eXtreme Programming
LIST OF FIGURES
LIST OF SYMBOLS
LIST OF TABLES
ABSTRACT
Computer networks have been experiencing exponential growth over the past few
decades. As a result the need for network monitoring has become a vital aspect for
ensuring network efficiency. With over 50,000 networks, 6 million hosts, 30 million
users and still counting, the World Wide Web (WWW) has become the dominant
network accelerating Internet growth. This project analyzes the need to develop a
software-based monitoring tool capable of monitoring various network parameters
essential for optimizing network performance and ensuring efficient use of network
resources.
Such a tool should aid network administrators in their daily task of ensuring that
the network performs to the desired standard. Many of the network monitoring tools
currently on the market are accessible only to network engineers, tend to be
expensive because they integrate dedicated hardware, are tied to a single vendor's
specifications, or are limited in the range of parameters they monitor.
This project therefore sets out to design software tailored to specific user requirements
that can easily be upgraded to meet future needs or demands. The software-based
solution is meant to provide accurate, comprehensive, flexible, inexpensive and
on-demand network monitoring capabilities throughout the entire network and its
interconnecting segments.
CHAPTER ONE
Introduction
1.0 Background to the Study
The field of network management has become a vital aspect in modern computer
networks. Today's networks tend to be heterogeneous, comprising a variety of
computers, hubs, switches, bridges, routers and various other network devices from
different manufacturers. Society is increasingly becoming more dependent on
computers linked to various types of networks (e.g. LANs, MANs, WANs) most
notably the Internet which has consequently resulted in the exponential growth of
networks. The task of monitoring and managing network resources has therefore
become more taxing and complex. Network administrators are consequently faced
with the challenge of ensuring that customer satisfaction is guaranteed through
constant monitoring and management of network resources.
There are two main types of network monitoring tools which exist on the market
today; the first being dedicated hardware monitoring tools. These provide high
performance characteristics, but lack flexibility and are generally more expensive.
The second option is software-based monitoring tools which are usually slower in
comparison to the former but are much cheaper and offer the added advantage of
flexibility in terms of software modifications and upgrades. The software-based
option is the preferred solution used in most modern networks and forms the basis of
this project.
Without information about the stream of data packets passing through intermediate
hops within a network, the end systems alone are often unable to identify and
diagnose problems within the network. For network monitoring software to efficiently
monitor network performance, the application must first know the current network
properties and what is happening to its data. By capturing data packets and analyzing
them, information can be gathered about the source of the packets, their usefulness,
and quantity.
With such gathered information, a network administrator can thus be able to deduce
which client machines are utilizing extraordinary amounts of bandwidth at the
expense of other users, the presence of daemon software running on the network,
hacker intrusions and so on.
This project work sets out to identify several common problems that are not
adequately addressed by existing software monitoring tools and also addresses the
end-user side of the problem. The software development is intended to be open
source, implying that the source code is freely available to any interested
programmers wishing to enhance the scope of the software.
It is thus obvious that such a scenario would be impractical, if not impossible, for the
network administrator to monitor and avert by visiting each of the hundreds of
workstations in the Internet café individually.
1.2 Aim
The main aim of this project is to design and implement a software-based monitoring
tool for IP networks.
1.3 Objectives
The specific objectives of this project are as follows:
i) To design and develop a software-based tool capable of efficiently monitoring
IP network parameters.
ii) To design and develop a software tool capable of aiding network
administrators in carrying out their daily responsibilities.
iii) To design and develop software that has a user-friendly graphical user
interface (GUI).
iv) To design and develop software that is open source and easily upgradeable.
Another crucial requirement for corporate organizations is data security within
intranets and LANs. By analyzing which ports are in use on each host, the software can
help to detect intrusions (for example by hackers) and malicious daemon software such
as spyware and malware, so that the network administrator can take appropriate
action. Port activity on its own only shows which services are being contacted;
confirming an intrusion still requires examining the captured traffic itself.
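The two kinds of analysis described above, as an added example that is not code from the original report: per-host traffic totals to spot hosts using an unusual share of bandwidth, and a port-contact heuristic that flags a source touching many distinct destination ports on one host within a short window. The packet records, addresses, sizes and thresholds are all constructed for illustration; a real tool would fill the records from its capture loop.

```python
"""Per-host traffic accounting and a port-contact heuristic over captured
packet summaries. Added example; not code from the original report.
The record format, thresholds and sample packets are constructed."""
from collections import defaultdict

# Constructed sample: (timestamp_s, src_ip, dst_ip, protocol, dst_port, length_bytes)
SAMPLE_PACKETS = [
    (0.0, "192.168.1.10", "10.0.0.5", "TCP", 80, 1500),
    (0.1, "192.168.1.10", "10.0.0.5", "TCP", 80, 1500),
    (0.2, "192.168.1.10", "10.0.0.5", "TCP", 80, 1500),
    (0.3, "192.168.1.11", "10.0.0.5", "UDP", 53, 80),
    (0.4, "192.168.1.12", "192.168.1.10", "TCP", 21, 60),
    (0.5, "192.168.1.12", "192.168.1.10", "TCP", 22, 60),
    (0.6, "192.168.1.12", "192.168.1.10", "TCP", 23, 60),
    (0.7, "192.168.1.12", "192.168.1.10", "TCP", 25, 60),
    (0.8, "192.168.1.12", "192.168.1.10", "TCP", 80, 60),
    (0.9, "192.168.1.12", "192.168.1.10", "TCP", 110, 60),
    (1.0, "192.168.1.12", "192.168.1.10", "TCP", 443, 60),
    (1.1, "192.168.1.12", "192.168.1.10", "TCP", 3389, 60),
]


def bytes_per_source(packets):
    """Total bytes sent by each source host."""
    totals = defaultdict(int)
    for _, src, _, _, _, length in packets:
        totals[src] += length
    return dict(totals)


def top_talkers(packets, n=3):
    """Source hosts ordered by bytes sent, largest first."""
    totals = bytes_per_source(packets)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def port_contact_alerts(packets, window_s=2.0, min_ports=6):
    """Flag (src, dst) pairs that contact at least `min_ports` distinct TCP
    destination ports within `window_s` seconds. This is the classic
    port-scan heuristic; the low threshold here is for the demo only."""
    first_seen = {}          # (src, dst) -> start of the current window
    ports = defaultdict(set)  # (src, dst) -> distinct ports seen in the window
    alerts = []
    for ts, src, dst, proto, dport, _ in packets:
        if proto != "TCP":
            continue
        key = (src, dst)
        if key not in first_seen or ts - first_seen[key] > window_s:
            first_seen[key] = ts   # open a fresh window for this pair
            ports[key] = set()
        ports[key].add(dport)
        if len(ports[key]) == min_ports:   # fire once per window
            alerts.append((src, dst, ts))
    return alerts


if __name__ == "__main__":
    for host, total in top_talkers(SAMPLE_PACKETS):
        print(f"{host}: {total} bytes")
    for src, dst, ts in port_contact_alerts(SAMPLE_PACKETS):
        print(f"possible scan: {src} -> {dst} at t={ts:.1f}s")
```

The port heuristic is deliberately simple: legitimate inventory scanners and load balancers trip it too, so in practice the alert is a prompt to look at the captured packets for that pair rather than a verdict.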
With this software, a network administrator should be able to ensure that network
uptime and efficiency are optimized to client satisfaction and in the event of
problems, informed troubleshooting measures taken based on information gathered by
the software.
1.5 Scope of the Study
The scope of this project included the following:
Intensive study of how networks operate in general, with the aid of network
models (for example the OSI reference model and the TCP/IP model), together with
research on various protocols and Protocol Data Units (PDUs) such as frame
structures, packets and their fields.
Research on network programming in C++ (with ports and sockets) on Win32
platforms.
Acquaintance with a public Application Programming Interface (API) called
WinPcap, which was used to interface the software with the operating
system's kernel.
Design and compilation of the source code using Borland's C++ Builder
6.0 Integrated Development Environment (IDE) and WinPcap.
Testing, analysis and evaluation of statistics gathered by the software on a
working LAN.
1.6 Methodology
The following steps were carried out in order to achieve the aim of the
project:
a) Making comparative investigations and analyses of various software-based
monitoring tools available on the market today (that is, their limitations,
operation, capabilities, etcetera).
b) Researching how networks operate (based on the TCP/IP and OSI reference
models) and how network monitoring is done, from primary sources such as the
Internet, textbooks and journals.
c) Conducting consultative meetings with the internal and external
supervisors concerning the project scope.
d) Gaining familiarity with network programming in C++, with particular emphasis on
Borland's C++ Builder 6.0 as the IDE chosen for developing the
software application.
e) Obtaining a public Application Programming Interface (API) for
interfacing the compiled program with the operating system's kernel. An
open-source library called "WinPcap" (Windows Packet Capture) was therefore
obtained from the Internet site http://www.winpcap.org.
f) Writing and compiling the source code against the functions exported by the
WinPcap API, applying the theory gathered from the sources elaborated above.
g) Participating in online discussion forums (blogs) on the Internet and reading
FAQs from various sites so as to get first-hand assistance from other
programmers:
http://www.tcpdump.org/wpcap.html
http://winpcap.mirror.ethereal.com/misc/faq.html
http://netgroup/winpcap
h) Designing of a simple peer-to-peer network to use as a test bed for the
developed software application.
i) Analysis of the data captured by the software program, so as to present it in an
easily comprehensible form using the software's GUI.
j) Carrying out various tests and evaluations of the software program on different
versions of Windows (Windows 95/98/2000/XP) and different network
protocols for example dial-up PPP and Ethernet to check for any compatibility
issues.
1.7 Summary
This chapter gives a brief introduction of what the project is all about and its
relevance in today's society. It also lays out a specified number of objectives and an
overall aim alongside giving the significance and scope of the project and how the
overall activities in the project were carried out.
CHAPTER TWO
Theoretical Background
2.0 Overview of Network Monitoring
Networking basically refers to connecting two or more computers for the purpose of
sharing various hardware, software, and data resources.
Guy Antony Halse (2003), on the other hand, describes network monitoring as a system
that simply observes and reports on a network, without taking any corrective action of
its own accord.
2.1.1 Importance of Bandwidth
Bandwidth is defined as the amount of information that can flow through a network in
a given period of time. Bandwidth is a limited resource and it is important to
understand the concept of bandwidth for the following reasons.
Cost factor: the cost of a link rises with its bandwidth. Very high
bandwidth is possible within LANs depending on the end-user equipment being used.
However, for WAN connections such as the Internet, it is usually necessary to buy
bandwidth from a service provider along with the appropriate equipment, which can be
quite costly. In such cases, individual users and businesses can save a lot of money if
they understand bandwidth and how demand for it changes over time.
Limited capacity: regardless of the media being used to build a network, there are
limits on the network capacity to carry information. Bandwidth is limited by the laws
of physics and by the technologies used to place information on the media.
Digital bandwidth measures how much information can flow from one place to
another in a specified amount of time. The fundamental unit of measurement for
digital bandwidth is bits per second (bps). Since LANs are capable of speeds of
thousands or millions of bits per second, measurements are normally expressed in
kilobits per second (kbps) or megabits per second (Mbps). Physical media, current
technologies, and the laws of physics limit bandwidth. Digital bandwidth varies
depending upon the type of media as well as the LAN and WAN technologies used.
The physical differences in the way signals travel result in fundamental limitations
on the information-carrying capacity of a given medium. However, the actual
bandwidth of a network is determined by a combination of the physical media and the
technologies chosen for signaling.
Analog bandwidth on the other hand refers to the frequency range of analog
electronic systems. Analog bandwidth can be used to describe the range of
frequencies transmitted by a radio station or an electronic amplifier. The unit of
measurement for analog bandwidth is hertz (Hz), the same as the unit of frequency.
For the purpose of the project, Digital Bandwidth was reviewed in further detail.
Throughput refers to the actual measured bandwidth, at specific times of the day,
using specific Internet routes, and while a specific set of data is transmitted on the
network.

Throughput (bps) = Actual File Size (bits) / File Transfer Time (seconds)

Figure 2: Throughput formula

Note:
The result is an estimate only, because the file size does not include any
overhead (header information) added by the encapsulation process.
The throughput formula gives a more accurate picture of the bandwidth actually
available to applications than the nominal rate of the link.
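The formula above carried through in code, as an added example that is not from the original report, together with the overhead the note says the formula leaves out. The file size and transfer time are constructed values; the per-segment header sizes are the standard Ethernet II, IPv4 and TCP sizes without options, and padding of short final frames is ignored.

```python
"""Throughput of a file transfer, with and without encapsulation overhead.
Added example; not from the original report. Sample size and time are
constructed; header sizes are the standard Ethernet/IPv4/TCP values."""
import math

# Standard header sizes in bytes (no IP or TCP options).
ETHERNET_HEADER = 14      # destination MAC, source MAC, Length/Type
ETHERNET_FCS = 4          # frame check sequence
IPV4_HEADER = 20
TCP_HEADER = 20
# Preamble/SFD (8) and inter-frame gap (12) occupy the wire but are not
# part of the frame a capture driver sees.
PREAMBLE_AND_GAP = 20
MSS = 1460                # TCP payload per full-size Ethernet frame (1500 - 20 - 20)
PER_SEGMENT_OVERHEAD = (ETHERNET_HEADER + IPV4_HEADER + TCP_HEADER
                        + ETHERNET_FCS + PREAMBLE_AND_GAP)   # 78 bytes


def throughput_bps(file_size_bytes, transfer_seconds):
    """The report's formula: file size in bits divided by transfer time in
    seconds. This is the goodput seen by the application."""
    if transfer_seconds <= 0:
        raise ValueError("transfer time must be positive")
    return file_size_bytes * 8 / transfer_seconds


def wire_bytes(file_size_bytes, mss=MSS):
    """Bytes actually placed on the wire to carry `file_size_bytes` of
    payload in one direction, counting every header that encapsulation
    adds to each segment (ACKs in the reverse direction are not counted,
    and a short final frame is not padded up to the 64-byte minimum)."""
    segments = math.ceil(file_size_bytes / mss)
    return file_size_bytes + segments * PER_SEGMENT_OVERHEAD


def link_utilisation_bps(file_size_bytes, transfer_seconds, mss=MSS):
    """Bits per second consumed on the link, i.e. throughput including the
    overhead the report's formula leaves out."""
    if transfer_seconds <= 0:
        raise ValueError("transfer time must be positive")
    return wire_bytes(file_size_bytes, mss) * 8 / transfer_seconds


def overhead_fraction(file_size_bytes, mss=MSS):
    """Fraction of wire bytes that are overhead rather than payload."""
    total = wire_bytes(file_size_bytes, mss)
    return (total - file_size_bytes) / total


if __name__ == "__main__":
    size, seconds = 10 * 1024 * 1024, 12.0   # constructed: 10 MiB in 12 s
    print(f"goodput:  {throughput_bps(size, seconds) / 1e6:.2f} Mbps")
    print(f"on wire:  {link_utilisation_bps(size, seconds) / 1e6:.2f} Mbps")
    print(f"overhead: {overhead_fraction(size) * 100:.1f} %")
```

For full-size frames the overhead is about five per cent, which is why a measured transfer never quite reaches the nominal link rate even on an idle LAN; for traffic made of small packets (VoIP, interactive Telnet) the fraction is far larger, which a monitoring tool that only counts payload bytes will understate.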
2.2 Network Monitoring Modes
Network monitoring modes refer to the manner in which information is extracted by
monitoring tools. There are basically two modes for monitoring networks currently
adopted, as follows:
2.3.1 Local Area Networks
A Local Area Network (LAN) is a collection of computers that share hardware,
software, and data over a relatively small geographical area, usually limited to a
building or group of buildings. Some common LAN technologies include the following:
Ethernet (IEEE 802.3): uses a bus topology and relies on Carrier Sense
Multiple Access/Collision Detection (CSMA/CD) to regulate traffic on a
network.
Token Ring (IEEE 802.5): uses a logical ring topology and relies on token
passing to control information flow.
Fiber Distributed Data Interface (FDDI): uses a logical ring topology to
control information flow and a physical dual-ring topology.
The OSI Reference model is an attempt by the International Organization for
Standardization (ISO) to standardize the way that computer systems communicate with
each other. Although several layered network models exist, the most widely used one is
the OSI Reference model (figure 3a). This seven-layer model is intended to ensure
interoperability between different protocols and methods of communication.
Protocol Data Units and the corresponding layers of the two models:

PDU        OSI Reference model     TCP/IP model
Data       7 Application           4 Application
           6 Presentation
           5 Session
Segments   4 Transport             3 Transport
Packets    3 Network               2 Internet
Although some of the layers in the TCP/IP model have the same names as layers in
the OSI model, the layers of the two models do not correspond exactly. Most notably,
the application layer has different functions in each model.
With interest to the project scope, only the area of performance management
contained in the OSI Network Management model is examined.
Performance Monitoring: this looks at the current and expected performance of the
network. Elements of network performance that may be monitored include network
bandwidth/throughput, availability, and utilization. This information may be
compared to theoretical performance levels or historical averages in order to
determine how well the network is currently performing. Unusual changes in
performance may help to predict network faults before they occur, so that corrective
action can be taken in advance.
2.5 Network Protocols
According to Tim Parker (2001), a protocol is a formal description of a set of rules
and conventions that govern a particular aspect of how devices on a network
communicate. Because telecommunications systems use a wide variety of hardware
and software, protocols are needed to coordinate communication.
Protocols determine the format, timing, sequencing, and error control in data
communication. Without protocols, computers cannot make or rebuild streams of
incoming bits from another computer into their original format. Protocol suites on the
other hand are collections of protocols that enable network communication between
hosts. Protocols control all aspects of data communication, including the following:
How the physical network is built
How computers connect to the network
How the data is formatted for transmission
How that data is sent
These network rules are created and maintained by many different organizations and
committees. Included in these groups are the Institute of Electrical and Electronics
Engineers (IEEE), American National Standards Institute (ANSI),
Telecommunications Industry Association (TIA), Electronic Industries Alliance (EIA)
and the International Telecommunications Union (ITU), formerly known as the
Comité Consultatif International Téléphonique et Télégraphique (CCITT).
Some examples of the most common protocols specified by the TCP/IP reference
model layers are illustrated in figure 4 below.
Figure 4: Protocols of the TCP/IP reference model by layer (Application, Layer 4;
Transport, Layer 3; Network Access, Layer 1: Ethernet, Token Ring, FDDI)
2.5.1 Layer 4 Protocols
File Transfer Protocol (FTP) is a reliable, connection-oriented service that uses TCP
to transfer files between systems that support FTP. It supports bi-directional binary
file and ASCII file transfers.
Trivial File Transfer Protocol (TFTP) is a connectionless service that uses UDP.
TFTP is used on the router to transfer configuration files and Cisco IOS images, and
to transfer files between systems that support TFTP. It is useful in some LANs
because it operates faster than FTP in a stable environment.
Network File System (NFS) is a distributed file system protocol suite developed by
Sun Microsystems that allows file access to a remote storage device such as a hard
disk across a network.
Simple Mail Transfer Protocol (SMTP) administers the transmission of e-mail over
computer networks. It carries only plain text; any other data, such as binary
attachments, must be encoded as text (for example with MIME) before transmission.
Telnet provides the capability to remotely access another computer. It enables
a user to log into an Internet host and execute commands. A Telnet client is referred to
as a local host; a Telnet server is referred to as a remote host. Telnet sends
everything, including user names and passwords, in clear text, so a packet capture
tool anywhere on the path can read the entire session.
Domain Name System (DNS) is a system used on the Internet to translate domain
names and publicly advertised network nodes into IP addresses.
2.5.2 Layer 3 Protocols
Transmission Control Protocol (TCP) is a communications protocol that provides
reliable, connection-oriented transfer of data between applications on end hosts
across the Internet. The functions of TCP are as follows:
Establishing end-to-end connectivity
Providing flow control
Ensuring reliability through the use of sequence numbers and
acknowledgments
Segmenting upper-layer application data
Sending segments from one end device to another
Address Resolution Protocol (ARP) determines the data link layer address, or MAC
(Media Access Control) address, for a known IP address.
Software drivers for software applications (including WinPcap), modem cards, and
other devices operate at the network access layer. The network access layer defines
the procedures used to interface with the network hardware and access the
transmission medium.
Serial Line Internet Protocol (SLIP) is a modem protocol standard used to provide
network access through a modem connection.
Network access layer protocols map IP addresses to physical hardware addresses and
encapsulate IP packets into frames. The network access layer defines the physical
media connection based on the hardware type and network interface.
Figure 5 below illustrates how each layer adds (or removes) header information to
data traveling away from (or toward) the application layer.
Destination field: contains the destination address, which can be a unicast,
multicast or broadcast address.
Length/Type field: specifies either the exact length of the frame in bytes or the
Layer 3 protocol used by the device that wants to send data.
Data field: this field carries the data inserted into the frame. If there is not enough
user data to meet the minimum frame length, extra data called padding is inserted.
Frame Check Sequence (FCS) field: contains a four-byte value used by the
destination computer to detect errors in the frame. The FCS can be calculated using
either a Cyclic Redundancy Check (CRC), two-dimensional parity checks or the
Internet checksum.
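As an added illustration (not code from this project), the following C routine decodes the Ethernet fields described above from a captured frame and verifies the FCS with CRC-32, the check Ethernet actually uses, before reading the source and destination addresses and ports from the IPv4 and TCP headers when the Length/Type field announces IPv4; every length taken from the wire is checked before it is used, since captured bytes are untrusted input. The sample frame, its MAC addresses and the TCP SYN inside it are constructed; the 192.168.0.x addresses are those of the test bed in chapter four.

```c
#include <stdint.h>
#include <string.h>

#define ETH_MIN_FRAME 64             /* header + data/padding + 4-byte FCS */
#define ETHERTYPE_IP  0x0800

struct frame_info {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype, src_port, dst_port;   /* ports in host byte order */
    uint32_t src_ip, dst_ip;                  /* host byte order */
    int      fcs_ok, has_tcp;                 /* FCS matched; IPv4/TCP ports decoded */
};

/* CRC-32 as used for the Ethernet FCS: reflected, polynomial 0xEDB88320,
 * initial value and final XOR 0xFFFFFFFF (bitwise form, no lookup table). */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* Decode one captured frame, FCS included. Returns -1 only if the frame is shorter than
 * the Ethernet minimum; every other length is checked first, as captured bytes are untrusted. */
int parse_frame(const uint8_t *f, size_t len, struct frame_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_MIN_FRAME) return -1;
    memcpy(out->dst_mac, f, 6);
    memcpy(out->src_mac, f + 6, 6);
    out->ethertype = be16(f + 12);                   /* Length/Type field */
    uint32_t wire_fcs = 0;                           /* FCS is sent least-significant byte first */
    for (int i = 0; i < 4; i++) wire_fcs |= (uint32_t)f[len - 4 + i] << (8 * i);
    out->fcs_ok = crc32_ieee(f, len - 4) == wire_fcs;
    if (out->ethertype != ETHERTYPE_IP) return 0;    /* not IPv4: nothing more to read */
    const uint8_t *ip = f + 14;
    size_t avail = len - 4 - 14;                     /* bytes between Ethernet header and FCS */
    if (avail < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;         /* IHL comes from the wire: check it */
    if (ihl < 20 || ihl + 20 > avail) return 0;
    out->src_ip = be32(ip + 12);
    out->dst_ip = be32(ip + 16);
    if (ip[9] != 6) return 0;                        /* protocol 6 = TCP */
    out->src_port = be16(ip + ihl);
    out->dst_port = be16(ip + ihl + 2);
    out->has_tcp = 1;
    return 0;
}

/* Constructed sample, not a real capture: TCP SYN 192.168.0.4:1025 -> 192.168.0.3:21, zero-padded to 60 bytes, FCS appended. */
size_t build_sample_frame(uint8_t buf[ETH_MIN_FRAME])
{
    static const uint8_t hdr[] = {
        0x00,0x11,0x22,0x33,0x44,0x03, 0x00,0x11,0x22,0x33,0x44,0x04, 0x08,0x00,   /* dst, src MAC, type */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,               /* IPv4, IHL 5, TTL 64, TCP */
        192,168,0,4, 192,168,0,3,
        0x04,0x01, 0x00,0x15, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00 };
    memset(buf, 0, ETH_MIN_FRAME);
    memcpy(buf, hdr, sizeof hdr);                    /* 54 header bytes, then padding */
    uint32_t fcs = crc32_ieee(buf, ETH_MIN_FRAME - 4);
    for (int i = 0; i < 4; i++) buf[ETH_MIN_FRAME - 4 + i] = (uint8_t)(fcs >> (8 * i));
    return ETH_MIN_FRAME;
}
```

Most network adapters strip the FCS before the driver sees a frame, so in a live capture the FCS check only applies when the adapter passes the FCS through.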
The Hardware alternative will not be discussed here because it is beyond the scope of
this project.
Some common high-level programs for monitoring networks include the following:
SmartSniff allows you to capture TCP/IP packets that pass through your
network adapter and view the captured data as a sequence of conversations
between clients and servers (http://www.nirsoft.net).
Ping is a tool commonly used to test network connectivity of various hosts
and network devices.
2.8.3 SNMP Approach
One of the most widely used approaches to network management is the Simple
Network Management Protocol (SNMP). This protocol was originally formulated in
1988 through RFC 1067. Since then it has undergone many changes and is currently
in version three of the protocol (as defined by RFC 1157).
Note: Although the term packet capture is used synonymously with frame capture, the
latter is the more accurate term, since the capture process is done at the data-link
layer of the OSI model.
2.9.1 Structure of the Capture Stack
In order for a software-based monitoring application to capture information, it needs
direct interaction with the network hardware. For this reason the operating system
should offer a set of capture primitives to communicate with and receive data directly
from the network adapter. These primitives are used to capture packets from a
network and transfer them to the calling programs.
2.9.1.2 Kernel-Level
The packet capture section of the kernel should be quick and efficient because it must
be able to capture packets on networks operating at various speeds, including high-
speed LANs with heavy traffic, while limiting packet loss and using a small amount of
system resources. The packet capture driver is the lowest-level software module of the
capture stack. It is the part that works at kernel level and interacts with the network
adapter to obtain the packets. It supplies the applications with a set of functions used
to read and write data from the network at data-link level. The kernel also comprises a
filter which can be used to filter out captured frames from the network depending on
the user's input.
2.9.1.3 User-Level
The user level consists of the system-independent dynamic link libraries wpcap.dll
and packet.dll, and the capture application, which receives packets from the system,
interprets and processes them, and outputs information to the user in an intelligible
manner. Wpcap.dll is a system-independent dynamic library that is used by the
capture part of the applications. It interacts with Packet.dll so as to provide the
applications with a higher-level and more powerful capture interface. Packet.dll works
at the user level, but is separate from the capture program. It is also a dynamic link
library that isolates the capture programs from the driver, providing a system-
independent capture interface.
The software monitoring tool is the user interface of the capture program. It manages
the interaction with the user and displays the result of a capture.
The structure of the capture stack from the network adapter to an application level is
shown in figure 7 below.
Figure 7: Structure of the capture stack (diagram). User level: Software Monitoring Tool, Wpcap.dll, User Buffer, Packet.dll. Kernel level: Packet Capture Driver, Kernel Buffer, Filter, NIC Driver, TCP/IP. Network level: network.
Note: Buffers are used at the Kernel and User-levels to provide a temporary store for
captured frames.
2.10 Application Programming Interface
According to nhse.cs.rice.edu/nhsereview/cms/chapter6.html, an API is a set of
library routine definitions with which third-party software developers can write
portable programs. Examples are the Berkeley Sockets for applications to transfer
data over networks, those published by Microsoft for their Windows GUI, and the
OpenGL graphics library initiated by Silicon Graphics Inc. for displaying three-
dimensional rendered objects.
The WinPcap API consists of a dynamic link library containing a list of functions
(refer to Appendix E). According to www.sabc.co.za/manual/ibm/9agloss.html, a
DLL is a file containing executable code and data bound to a program at load time or
run time, rather than during linking, and can be loaded and executed by programs
dynamically. Several applications can share the code and data in a dynamic link
library simultaneously.
2.11 Summary
This chapter gives an overview of the relevant theory involved in the design and
implementation of this project with their references. An in-depth knowledge of this
theoretical background is a pre-requisite before any programming can begin since it
forms the basis for the project work.
CHAPTER THREE
Design and Implementation
3.0 Design Stages
The design and implementation of the software-based monitoring tool involved
several stages (some of which are elaborated in chapter four), as outlined below:
1. Developing an algorithm to use for capturing frames and analyzing captured
data.
2. Loading the system-independent dynamic link library (wpcap.dll) into run-
time memory so as to make use of its functions, subroutines and data structures or
class descriptions.
3. Getting the addresses of the library routines.
4. Compiling the source code for the monitoring tool based on the algorithm
developed.
5. Debugging errors and exceptions in the program source code.
6. Designing a simple peer-to-peer network to use as a test bed for the developed
software.
7. Simulating traffic conditions (for example data transfers across the peer-to-
peer network) and using the developed software to perform various tests and
evaluations for analysis of captured data.
8. Designing a user-friendly GUI for the end-user.
NB. All code in the program was compiled in C++ using Borland's C++ Builder
IDE.
3.1.2 Getting Function Addresses
Pointers to the individual DLL functions had to be declared in the function prototypes,
since the DLL is loaded into a different memory space at run time, as illustrated in the
code snippet below;
After declaring the individual functions to be exported by the DLL, function addresses
were obtained using the code snippet shown below for each individual function.
(GetProcAddress takes the module handle returned by LoadLibrary rather than the DLL
file name; pcap_findalldevs_ex_t here stands for the function-pointer type declared in
the prototype.)
HMODULE hWpcap = LoadLibrary("wpcap.dll");   /* load the DLL at run time and keep its module handle */
pcap_findalldevs_ex = (pcap_findalldevs_ex_t)GetProcAddress(hWpcap, "pcap_findalldevs_ex");
A brief summary of the functions exported from wpcap.dll is shown in table 1 below;
3.2 Program Algorithm
A program flowchart was developed as illustrated in figure 8 below to ease the task of
developing the source code.
3.3 High-Level Programming
The source code for the program was developed using Borland's C++ Builder 6.0
Integrated Development Environment (IDE). An IDE is a GUI workbench for
developing code, featuring facilities like symbolic debugging, version control and
data-structure browsing.
Borland's C++ Builder 6.0 IDE combines the editor, compiler, debugger and other
useful tools in the same software package. The source code was therefore compiled
with the aid of the algorithm illustrated previously in figure 8.
The debugging process was also simplified by using the Builder IDE and a list of
imported functions generated with the MS-DOS command-line tool IMPDEF.exe.
Another useful command-line tool, COFF2OMF.exe, converts a COFF import library
file (input file) to the corresponding OMF import library file (output file). Both tools
are located in the C++ Builder BIN directory.
Figure 10: Capture statistics displayed graphically, i.e. bytes sent/received versus time (milliseconds)
The bandwidth formulas in figures 1 and 2 were used to calculate the throughput rate
obtained in figure 10 above. File sizes, along with time stamp values, are extracted in
software from the data fields of the individually captured frames.
3.4 Summary
This chapter summarizes how the design and implementation of the project were
undertaken so as to achieve the desired results. It also illustrates how the GUI of the
software appears, alongside its functionality.
CHAPTER FOUR
Testing and Evaluation
4.0 Test Bed Design
The test bed used for carrying out tests and evaluating the performance of the
software monitoring tool was designed as the peer-to-peer network shown in figure 11
below, with the configuration settings specified there.
Figure 11: Test Bed Setup (two PCs connected by a Cat5e cross-over cable with RJ-45 connectors)
PC 1: IP address 192.168.0.4, subnet mask 255.255.255.0, workgroup TEST
PC 2: IP address 192.168.0.3, subnet mask 255.255.255.0, workgroup TEST
In order to run the Software-based Monitoring Tool and carry out a capture session,
WinPcap 4.0 had to be installed on the machine meant to monitor the network. A
cross-over cable was terminated using Cat5e Ethernet cable according to the cabling
standards (T568A and T568B) shown in tables 2 and 3 below.
One end of the cable was terminated with an RJ-45 connector using a crimping tool
and the T568A standard, whilst the other end was terminated with another RJ-45
connector using the T568B standard. Thereafter a cable tester was used to verify that
the cross-over cable had been properly terminated.
From the illustration in figure 12 above, the software was able to capture the list of
network devices resident on the machine when run on a PC with the following
specifications:
System: Microsoft Windows XP Professional, Version 2002
Computer: Intel(R) Celeron(R) CPU 2.40 GHz, 384 MB of RAM
Network card: Realtek RTL8139/810X Family PCI Fast Ethernet NIC
4.1.2 IP Information
The monitoring tool was also able to capture IP address information, as illustrated in
figure 13 below.
4.1.3 Capture Statistics
The actual capture session consisted of gathering statistics like time stamps, header
lengths and header time values, as shown in the snapshot in figure 14 below.
4.2 Applications
The developed software operates mainly in Ethernet and FDDI networks and thereby
has a variety of applications.
4.3 Limitations
The limitations encountered while carrying out the design and implementation of the
project included the following:
The public WinPcap API had limited capabilities in terms of capturing data.
Since capture of frames was limited to promiscuous mode, the software is most
effective in networks that use shared-media devices like hubs, where every frame
on the segment reaches the monitoring adapter.
There was no readily available access to a TCP/IP network to use as a test bed
when analyzing the designed software's functionality.
WinPcap does not offer support for Token Ring networks.
Time and funds were also limiting factors that hindered the designer/researcher from
exploiting the software's potential to greater depths.
Note: The reader must bear in mind that the costs involved in designing, testing and
implementing all the project activities as stated are not representative of the
actual cost of the designed "Software-based Monitoring Tool".
4.6 Summary
This chapter summarizes how the testing of the software and the evaluation of the
captured data were carried out so as to ensure that the monitoring tool was operating
to the desired or acceptable levels in accordance with its objectives. It also lists the
possible applications of the monitoring tool and its limitations, and gives a summary
of how the project work was broken down to achieve the desired objectives.
CONCLUSION
In any network segment, it is expected that end-users will contribute equal or unequal
amounts of the overall bandwidth capacity available. However, because bandwidth is
a limited and costly resource, constant monitoring of its usage is essential in
maintaining optimal network performance efficiency. The Software-based Monitoring
tool designed was thus able to satisfy its aim and specific objectives though with some
limitations as earlier stated in Chapter four.
This software was tested on a peer-to-peer network and a shared dial-up Internet
connection with the intention of discovering common network performance problems
and developing innovative solutions to the problems identified. It must be stated,
however, that the Software-based Monitor is an informative tool meant for network
administrators to use in identifying network bottlenecks and thereafter taking
corrective action.
The following are the achievements which have been made in this project using the
designed software. The monitoring tool was able to obtain:
i) IP address configuration information for the PC in use:
IP address of the PC
Address family number in use on the PC
Address family name in use on the PC
Subnet mask of the PC in both decimal and IP address form
Broadcast address of the PC
ii) Frame capture statistics, including the following:
Header lengths
Header time values
Time stamps of the frames transiting the network
iii) Extraction of source and destination information of PCs in a particular
network segment, including the following:
Active ports, i.e. for the source and destination PCs
Source IP address
Destination IP address
From the project costing (Appendix A) and the comparative studies carried out on
existing monitoring solutions, it can be stated that the software-based monitoring
approach is generally much cheaper than the hardware alternative.
Software monitoring tools also offer the added advantage of flexibility in design and
in maintenance work and costs. This is because software can easily be re-customized
to user-specific needs so as to meet future demands.
RECOMMENDATIONS
Further Research
Shortfalls/limitations in the software-based approach were discussed in Chapter four's
limitations with the hope of laying out a framework from which future development of
this project can set off and perhaps provide a more complete and robust solution to the
problem.
Since the software is intended to be open source, I recommend this project for further
research so as to exploit its full potential. The source code can be obtained upon
request in writing using the researcher's email indicated at the end of the abstract.
BIBLIOGRAPHY
Textbook References
1. Allan Dix, (1996), UNIX Network Programming with TCP/IP.
2. Aptech Worldwide, (2000), Logic Building with C, New Jersey.
3. H. Gilbert, (1995), Introduction to TCP/IP, PCLT.
4. Jesse Liberty, (1998), Teach Yourself C++ Programming in 21 Days, Sams
Publishing, Indianapolis.
5. Marshall T. Rose, (1991), The Simple Book: An Introduction to Management
of TCP/IP-based Internets, Prentice-Hall.
6. Mike Pastore and Emmett Dulaney, (2004), Security+ Study Guide, (2nd
Edition), San Francisco.
7. Tim Parker, (2005), Teach Yourself TCP/IP in 14 Days, (2nd Edition), Sams
Publishing, Indianapolis.
8. Todd Lammle, (2005), CCNA: Cisco® Certified Network Associate Study
Guide, (5th Edition), San Francisco.
9. V. Jacobson, C. Leres and S. McCanne, (1994), Libpcap, (1st Edition),
Lawrence Berkeley Laboratory, Berkeley, California.
Catalogues
1. S. McCanne and V. Jacobson, (2003), The BSD Packet Filter: A New
Architecture for User-level Packet Capture, Proceedings of the 1993 Winter
USENIX Technical Conference, San Diego, CA.
Websites
1. en.wikipedia.org/wiki/networkmonitoring
2. http://lastbit.com/trafmeter
3. http://netgroup/winpcap
4. http://winpcap.mirror.ethereal.com/misc/faq.htm
5. http://www.cisco.netacad.net
6. http://www.codeproject.com
7. http://erwan.l.free.fr
8. http://www.hcibook.com/alan
9. http://www.hiraeth.com/alan/tutorials
10. http://www.iec.org
11. http://www.nirsoft.net
12. http://www.solarwinds.net
13. http://www.tcpdump.org/wpcap.html
14. http://www.winpcap.org
15. http://www.winpcap.org/docs
16. nhse.cs.rice.edu/nhsereview/cms/chapter6.html
17. www.100best-web-hosting.com/termn.html
18. www.course.com/careers/glossary/programming.cfm
19. www.faqs.org/docs/artu/apa.html
20. www.sabc.co.za/manual/ibm/9agloss.html
Manuals
1. Borland's C++ Builder 6.0 Help Files
2. Microsoft/Windows Standard Development Kit (SDK)
3. The WinPcap Team, (2007), WinPcap Documentation 4.0, CACE
Technologies, Politecnico di Torino, Turin, Italy.
APPENDICES
Appendix B: Work Breakdown Structure
Appendix C: Tracking Gantt chart
Appendix D: Well Known Port Numbers
Port No   Port Name      Description
1         TCPMUX         TCP Port Service Multiplexer
5         RJE            Remote Job Entry
7         ECHO
9         DISCARD
11        USERS          Active Users
13        DAYTIME
17                       Quote of the Day
19        CHARGEN        Character Generator
20        FTP-DATA       File Transfer (Data Channel)
21        FTP            File Transfer (Control Channel)
23        TELNET
25        SMTP           Simple Mail Transfer
27        NSW-FE         NSW User System FE
29        MSG-ICP
31        MSG-AUTH       MSG Authentication
33        DSP            Display Support Protocol
35                       Private Printer Server
37        TIME
39        RLP            Resource Location Protocol
41        GRAPHICS
42        NAMESERVER     Host Name Server
43        NICNAME        Who Is
49        LOGIN          Host Protocol
53        DOMAIN         Name Server
67        BOOTPS         Bootstrap Protocol Server
68        BOOTPC         Bootstrap Protocol Client
69        TFTP           Trivial File Transfer Protocol
79        FINGER
101       HOSTNAME       NIC Host Name Server
102       ISO-TSAP       ISO TSAP
103       X400           X.400
104       X400SND        X.400 SND
105       CSNET-NS       CSNET Mailbox Name Server
109       POP2           Post Office Protocol v2
110       POP3           Post Office Protocol v3
111       SUNRPC         SUN RPC Portmap
137       NETBIOS-NS     NETBIOS Name Service
138       NETBIOS-DGM    NETBIOS Datagram Service
139       NETBIOS-SSN    NETBIOS Session Service
146       ISO-TP0
147       ISO-IP
150       SQL-NET
153       SGMP
156       SQLSRV         SQL Service
160       SGMP-TRAPS     SGMP TRAPS
161       SNMP
162       SNMPTRAP
163       CMIP-MANAGE    CMIP/TCP Manager
164       CMIP-AGENT     CMIP/TCP Agent
165       XNS-COURIER    Xerox Network
179       BGP            Border Gateway Protocol
Appendix E: Exported WinPcap Functions
pcap_getevent @33 pcap_getevent
pcap_getnonblock @34 pcap_getnonblock
pcap_is_swapped @35 pcap_is_swapped
pcap_lib_version @36 pcap_lib_version
pcap_list_datalinks @37 pcap_list_datalinks
pcap_live_dump @38 pcap_live_dump
pcap_live_dump_ended @39 pcap_live_dump_ended
pcap_lookupdev @40 pcap_lookupdev
pcap_lookupnet @41 pcap_lookupnet
pcap_loop @42 pcap_loop
pcap_major_version @43 pcap_major_version
pcap_minor_version @44 pcap_minor_version
pcap_next @45 pcap_next
pcap_next_etherent @46 pcap_next_etherent
pcap_next_ex @47 pcap_next_ex
pcap_offline_filter @48 pcap_offline_filter
pcap_offline_read @49 pcap_offline_read
pcap_open @50 pcap_open
pcap_open_dead @51 pcap_open_dead
pcap_open_live @52 pcap_open_live
pcap_open_offline @53 pcap_open_offline
pcap_parsesrcstr @54 pcap_parsesrcstr
pcap_perror @55 pcap_perror
pcap_read @56 pcap_read
pcap_remoteact_accept @57 pcap_remoteact_accept
pcap_remoteact_cleanup @58 pcap_remoteact_cleanup
pcap_remoteact_close @59 pcap_remoteact_close
pcap_remoteact_list @60 pcap_remoteact_list
pcap_sendpacket @61 pcap_sendpacket
pcap_sendqueue_alloc @62 pcap_sendqueue_alloc
pcap_sendqueue_destroy @63 pcap_sendqueue_destroy
pcap_sendqueue_queue @64 pcap_sendqueue_queue
pcap_sendqueue_transmit @65 pcap_sendqueue_transmit
pcap_set_datalink @66 pcap_set_datalink
pcap_setbuff @67 pcap_setbuff
pcap_setfilter @68 pcap_setfilter
pcap_setmintocopy @69 pcap_setmintocopy
pcap_setmode @70 pcap_setmode
pcap_setnonblock @71 pcap_setnonblock
pcap_setsampling @72 pcap_setsampling
pcap_setuserbuffer @73 pcap_setuserbuffer
pcap_snapshot @74 pcap_snapshot
pcap_stats @75 pcap_stats
pcap_stats_ex @76 pcap_stats_ex
pcap_strerror @77 pcap_strerror
wsockinit @78 wsockinit